Author’s note: This is a re-post from an article I wrote on Medium on December 8, 2018. You can find the original post here. As a reminder, these posts are my opinions only, and do not necessarily reflect the positions of my employer or my professional affiliations.
I’m always on the lookout for better ways to express concisely the spirit and intent of what we are doing with identity. In keeping with digital disruption, transformation, etc., digital identity is the most au courant term but it is giving way to broader and more existential terms, such as Self-Sovereign Identity, Good Identity, and Better Identity.
Then it hit me — maybe it’s about Less Identity!
I arrived at the term ‘Less Identity’ through some fun wordplay (yes, I do this stuff in my spare time). I was thinking about ‘Trust Frameworks’ and ‘Trustless Networks.’ When I factored out the common ‘Trust’, I arrived at ‘Trust[Less Networks and Frameworks].’
Looking at the word, ‘Less’ I said to myself ‘Hey — Less Identity!’ and then‘ Hey, Legally-Enabled Self-Sovereign Identity! That’s a catchy term’ (Please note: this was a fun exercise, not a rigorous academic mathematical exercise.)
Building on this: Legally-Enabled Self-Sovereign Identity or LESS Identity is a nice concise way to describe how I want my identity . I want my identity to be digital, good and better, but in the end, I want my identity to be less than the real me.
So then, the key characteristics of LESS Identity:
Minimum Disclosure: I want to disclose the absolute minimum to get a service or entitlement. If a service only needs to know I am legal to buy or receive something (because of age and/or residency) that’s all they should get — not my name, date-of-birth, or my address.
Full Control: I want full control over what I disclose. Not only at the point in time of the transaction, but all future uses that I may, or may not allow.
Necessary Proofs: I understand, that a someone might not believe what I am providing — that’s ok — I should be able to provide proofs from the right authority — my age as proven by my local government, my academic degree as proven by my university.
Legally-Enabled: All of the preceding requirements backed up by the necessary or applicable legal framework to protect me, and to protect those who are providing services to me (risk goes both ways in any transaction).
All summed up as (say it again!): Legally-Enabled Self-Sovereign or LESS Identity. Yeah, I know this all might sound a bit trite and catchy, but I believe the term really catches the spirit of the requirements we want our world. Just as Ann Cavoukian has captured the spirit of privacy in Privacy By Design, we capture the spirit of identity with LESS Identity.
"I want my identity to be less than the real me". That's profound. Well said Tim.
One problem we have is the multiple senses of "identity". It can mean ME -- who I am -- but it can mean a name or a reference. I reckon the latter sense of identity is all we can work on in digital identity. So, if we're talking about digital identity, then I think you've nailed it.
My digital identity is less than the real me. Way less. And that's a good thing, for many reasons.
It allows me to have a plurality of digital identities.
Each digital identity is a marker or a pointer (that's all a name is). A digital identity is a proxy, literally an approximation. It exists in context and can lose its meaning in other contexts.
The process of creating digital identities (each one mapping from the real person) is a lossy process. Information is discarded, and data minimisation is a cornerstone of privacy. A digital identity should include just the data that really matters about me in a context, and nothing more. The less information in a digital identity the better, assuming that the thing still works to index or disambiguate subjects in the relevant domain or context.
If we can buy into this logical view, then I wonder why we persist in calling these things [digital] identities? Identifiers or indices are more objective and less loaded terms.
Frankly, one of the worst missteps in our field was made in the Laws of Identity which regarded any claim about a digital subject to constitute a "digital identity". This actually inflates the significance of mundane identifiers, customer reference numbers and the like. We shouldn't be personifying database pointers!
So let's clean up the language. Keep "identity" for the rich analog real world, and use "identifier" to refer to administrative pointers used in digital contexts to help keep records straight. I don't think anybody minds that a CRN is "less than the real me". We should hope that it is!
This was great to read. Changed my perspective when trying to convey the message of SSI. Thanks for sharing!